1. Field of the Invention
Apparatuses and methods consistent with the present invention relate to controlling program execution, and more particularly to controlling program execution based on a virtual machine monitor.
2. Description of the Related Art
In general, security programs such as anti-virus software (AVS) or intrusion detection systems (IDSs) may exist in the area of operating systems (OSs) and application programs, and may perform virus checking and removal on OSs and application programs.
Security programs or IDSs may also exist in a virtual machine monitor and perform virus checking or removal there. A virtual machine monitor exists between a hardware device and an OS and virtualizes the hardware device so that a plurality of OSs can operate at the same time. A virtual machine monitor may replace firmware or operate between firmware and an OS. Examples of typical hardware devices include input/output (I/O) ports, memories and other storage devices. Through a virtual machine monitor, all data can be transferred from an I/O port, a memory or another storage device to an OS or an application program. During this process, a security program present in the virtual machine monitor may perform virus checking and removal on data transferred between a hardware device and an OS or an application program.
Conventionally, when an OS is infected and a security program or an IDS operates in the infected OS along with an application program, the security program or the IDS is highly likely to be infected as well, or the virus check is accidentally skipped.
In addition, even when present in a virtual machine monitor, a security program or an IDS can perform only short-term monitoring to determine whether an application program is malicious, which lowers the precision of malware detection and causes erroneous results such as false positives and false negatives.
Moreover, malicious application programs that can deceive security programs or IDSs by disguising themselves as legitimate programs have become widespread. It is therefore necessary to avoid false positives and false negatives in malware detection.